Skip to content
Skip to search
Skip to footer

Compare Network Access Control Solutions

Contact Cisco

See Cisco ISE

Learn more about Cisco Identity Services Engine (ISE) and compare with other Network Access Control solutions.

Cisco ISE

ForeScout CounterACT

HPE ClearPass

Network Access

Passive Identification	ISE can provide passive ID for other systems	No passive authentication functionality	No passive authentication functionality
	ISE can provide passive ID for other systems	No passive authentication functionality	No passive authentication functionality
EasyConnect	ISE can authenticate users without using 802.1X	CounterACT can use SNMP-based access control instead of 802.1X	ClearPass can use SNMP to control network access for endpoints
	ISE can authenticate users without using 802.1X	CounterACT can use SNMP-based access control instead of 802.1X	ClearPass can use SNMP to control network access for endpoints
802.1X	ISE is a standards-based RADIUS server with a built-in certificate authority	LimitedCounterACT can proxy RADIUS requests to another RADIUS server	ClearPass includes an internal certificate authority that can be used for BYOD purposes
	ISE is a standards-based RADIUS server with a built-in certificate authority	CounterACT can proxy RADIUS requests to another RADIUS server	ClearPass includes an internal certificate authority that can be used for BYOD purposes
Third-Party Devices	ISE will interoperate with many third-party vendors using RADIUS and SNMP	CounterACT uses SNMP for network device integration	ClearPass ships with many third-party RADIUS dictionaries
	ISE will interoperate with many third-party vendors using RADIUS and SNMP	CounterACT uses SNMP for network device integration	ClearPass ships with many third-party RADIUS dictionaries
SAML	ISE supports any SAMLv2-compliant solution	No SAML support	LimitedClearPass supports SAMLv2 only when ClearPass is used with an Aruba wireless controller
	ISE supports any SAMLv2-compliant solution	No SAML support	ClearPass supports SAMLv2 only when ClearPass is used with an Aruba wireless controller
TACACS+	Provides full TACACS+ capability available on ACS 5.x and more	ForeScout offers TACACS+ client, but not the ability to do device administration	LimitedLacks features such as enable password, configuration presets for different NAD types, TACACS+ proxy
	Provides full TACACS+ capability available on ACS 5.x and more	ForeScout offers TACACS+ client, but not the ability to do device administration	Lacks features such as enable password, configuration presets for different NAD types, TACACS+ proxy

Visibility

Device Visibility	Cisco ISE uses multiple probes to provide a comprehensive view of the network	CounterACT has a number of methods for learning about devices on the network	ClearPass can use multiple profiling probes to identify endpoints connecting to the network
	Cisco ISE uses multiple probes to provide a comprehensive view of the network	CounterACT has a number of methods for learning about devices on the network	ClearPass can use multiple profiling probes to identify endpoints connecting to the network
Application Visibility	ISE provides application-level visibility and the ability to build policy about which apps can be installed or running	CounterACT can use calls or a software agent to show the administrator which applications are installed and running	ClearPass lets administrators set policy for endpoints with certain applications but does not offer app-level visibility
	ISE provides application-level visibility and the ability to build policy about which apps can be installed or running	CounterACT can use calls or a software agent to show the administrator which applications are installed and running	ClearPass lets administrators set policy for endpoints with certain applications but does not offer app-level visibility
Enhanced End-User Visibility	With context visibility, ISE lets the administrator glean detailed information about users accessing the network	CounterACT has the ability to integrate with Active Directory and other external sources for user information	ClearPass can integrate with multiple identity providers to show user information
	With context visibility, ISE lets the administrator glean detailed information about users accessing the network	CounterACT has the ability to integrate with Active Directory and other external sources for user information	ClearPass can integrate with multiple identity providers to show user information
Internet of Things	ISE can meet the demands of Internet-connected devices through authentication and device profiling	CounterACT can profile devices accessing the network and assign privileges based on device type	ClearPass can profile devices and allow the administrator to assign a different policy based on the profiles
	ISE can meet the demands of Internet-connected devices through authentication and device profiling	CounterACT can profile devices accessing the network and assign privileges based on device type	ClearPass can profile devices and allow the administrator to assign a different policy based on the profiles
Network Visibility	In addition to endpoint profiling, ISE can give the administrator a view into the network	CounterACT can automatically discover network devices	ClearPass provides ways to discover endpoints connected to the network via network devices
	In addition to endpoint profiling, ISE can give the administrator a view into the network	CounterACT can automatically discover network devices	ClearPass provides ways to discover endpoints connected to the network via network devices

Mobility

Guest Services	ISE has rich life-cycle support for guest services	LimitedCorporate branding can be challenging to complete	Requires additional expense for portal setup. Network access device configuration complexity.
	ISE has rich life-cycle support for guest services	Corporate branding can be challenging to complete	Requires additional expense for portal setup. Network access device configuration complexity.
BYOD	ISE has a closed-loop BYOD solution to include MDM integration	CounterACT supports BYOD as well as MDM	ClearPass supports BYOD, including internal certificate authority
	ISE has a closed-loop BYOD solution to include MDM integration	CounterACT supports BYOD as well as MDM	ClearPass supports BYOD, including internal certificate authority
MDM	ISE integrates with all major MDM vendors	CounterACT integrates with many MDM vendors	ClearPass supports MDM integration for multiple providers
	ISE integrates with all major MDM vendors	CounterACT integrates with many MDM vendors	ClearPass supports MDM integration for multiple providers
Location Services	ISE integrates with Cisco MSE for wireless location-based policy	CounterACT doesn't support location services for endpoints	ClearPass cannot integrate with location services
	ISE integrates with Cisco MSE for wireless location-based policy	CounterACT doesn't support location services for endpoints	ClearPass cannot integrate with location services

Threat Security

Posture	ISE supports application-level posture as well as USB detection	CounterACT has USB detection as well as application-level visibility	ClearPass provides posture for Windows, macOS, and Linux
	ISE supports application-level posture as well as USB detection	CounterACT has USB detection as well as application-level visibility	ClearPass provides posture for Windows, macOS, and Linux
Anomaly Detection	Starting with version 2.2, ISE can detect when endpoints try to masquerade as other endpoints	Through policy, CounterACT can detect when an endpoint is attempting to change its MAC address	ClearPass can detect and act when there is a conflict in the endpoint profile
	Starting with version 2.2, ISE can detect when endpoints try to masquerade as other endpoints	Through policy, CounterACT can detect when an endpoint is attempting to change its MAC address	ClearPass can detect and act when there is a conflict in the endpoint profile
Threat-centric NAC	ISE can use threat intellegence to build access policy	CounterACT uses Control Fabric and its ecosystem partners for threat information	ClearPass does not provide native integration with a vulnerability scanner
	ISE can use threat intellegence to build access policy	CounterACT uses Control Fabric and its ecosystem partners for threat information	ClearPass does not provide native integration with a vulnerability scanner
Rapid Threat Containment	ISE can leverage other security porfolio products to provide automatic detection and remediation of security events	Using Control Fabric, CounterACT can leverage threat information from its ecosystem partners	ClearPass can integrate with third-party security systems to provide access control
	ISE can leverage other security porfolio products to provide automatic detection and remediation of security events	Using Control Fabric, CounterACT can leverage threat information from its ecosystem partners	ClearPass can integrate with third-party security systems to provide access control

Architecture

Standardized API	In addition to APIs, ISE offers a scalable method for sharing context through pxGrid	CounterACT can use APIs to integrate with other network services	ClearPass provides both inbound and outbound APIs for sharing context
	In addition to APIs, ISE offers a scalable method for sharing context through pxGrid	CounterACT can use APIs to integrate with other network services	ClearPass provides both inbound and outbound APIs for sharing context
Internet Gateway	ISE can provision endpoints for Cisco Umbrella for on- and off-network protection
	ISE can provision endpoints for Cisco Umbrella for on- and off-network protection
Embedded Network Security	With Cisco network infrastructure, Stealthwatch, and TrustSec technology, ISE can offer scalable network protection and visibility		ClearPass can be used to consume logs from security systems and to provide protection from the events
	With Cisco network infrastructure, Stealthwatch, and TrustSec technology, ISE can offer scalable network protection and visibility		ClearPass can be used to consume logs from security systems and to provide protection from the events
Software-Defined Segmentation	ISE and TrustSec technology provide customers with a more scalable approach to network security	LimitedCounterACT primarily uses VLANs and ACLs to separate network traffic	ClearPass uses VLANs, ACLs, and roles for access control
	ISE and TrustSec technology provide customers with a more scalable approach to network security	CounterACT primarily uses VLANs and ACLs to separate network traffic	ClearPass uses VLANs, ACLs, and roles for access control
Group-Based Policies	ISE can leverage many sources to provide a rich set of tools for policy building	CounterACT can leverage external resources to build group-based policy	ClearPass can provide roles for Aruba network devices, but the roles are only for those devices and are not scalable
	ISE can leverage many sources to provide a rich set of tools for policy building	CounterACT can leverage external resources to build group-based policy	ClearPass can provide roles for Aruba network devices, but the roles are only for those devices and are not scalable

Download PDF

Not convinced?

See what SC Mag has to say about ISE.

Read the results